GraphQL

GraphQL is an API query language that is designed to facilitate efficient communication between clients and servers. It enables the user to specify exactly what data they want in the response, helping to avoid the large response objects and multiple calls that can sometimes be seen with REST APIs.

Detection

Universal Queries

query{__typename}
# Response include the string:
{"data": {"__typename": "query"}}

Common Endpoint

• /graphql

• /api

• /api/graphql

• /graphql/api

• /graphql/graphql

• Also try appending /v1 to the path

• GraphQL services will often respond to any non-GraphQL request with a "query not present" or similar error.

Other

In general GraphQl only accept POST requests that have a content-type of application/json. However, some endpoints may accept alternative methods. Try with

• Universal Query using alternative HTTP methods.
• POST requests that use a content-type of x-www-form-urlencoded.

Discovering Schema Information

With PurpSuite:

• Right-click in Repeter and GraphQL > Set introspection query

• Right-click in Repeter and GraphQL > Set legacy introspection query

• Right-click in Response and GraphQL > Save GraphQL queries to site map

Use can also use GraphQL visualizer for a better view of the scheme.

Introspection Queries

Introspection is a built-in GraphQL function that enables you to query a server for information about the schema. Introspection helps you to understand how you can interact with a GraphQL API. It can also disclose potentially sensitive data, such as description fields. It is best practice for introspection to be disabled in production environments, but this advice is not always followed.

{"query": "{__schema{queryType{name}}}"}

When developers disable introspection, they could use a regex to exclude the __schema keyword in queries. You should try characters like spaces, new lines and commas, as they are ignored by GraphQL but not by flawed regex.

ex. Regex exclude: __schema{ Bypass: __schema\n{

Full Introspection Queries

You can get as much information on the underlying schema as possible. The example query below returns full details on all queries, mutations, subscriptions, types, and fragments.

query IntrospectionQuery {
        __schema {
            queryType {
                name
            }
            mutationType {
                name
            }
            subscriptionType {
                name
            }
            types {
             ...FullType
            }
            directives {
                name
                description
                args {
                    ...InputValue
            }
            onOperation  #Often needs to be deleted to run query
            onFragment   #Often needs to be deleted to run query
            onField      #Often needs to be deleted to run query
            }
        }
    }

    fragment FullType on __Type {
        kind
        name
        description
        fields(includeDeprecated: true) {
            name
            description
            args {
                ...InputValue
            }
            type {
                ...TypeRef
            }
            isDeprecated
            deprecationReason
        }
        inputFields {
            ...InputValue
        }
        interfaces {
            ...TypeRef
        }
        enumValues(includeDeprecated: true) {
            name
            description
            isDeprecated
            deprecationReason
        }
        possibleTypes {
            ...TypeRef
        }
    }

    fragment InputValue on __InputValue {
        name
        description
        type {
            ...TypeRef
        }
        defaultValue
    }

    fragment TypeRef on __Type {
        kind
        name
        ofType {
            kind
            name
            ofType {
                kind
                name
                ofType {
                    kind
                    name
                }
            }
        }
    }

Suggestions

You can sometimes use suggestions to glean information on an API's structure. Suggestions are a feature of the Apollo GraphQL platform: ex. There is no entry for 'productInfo'. Did you mean 'productInformation' instead?

Clairvoyance	Tool that uses suggestions to automatically recover all or part of a GraphQL schema, even when introspection is disabled.

Attacks

Send some test requests to understand more about how it works.

• IDOR
• Brute Force with Alias

• CSRF